Findings
Convert AI governance risk flags into audit-style findings using condition, criteria, cause, risk/effect, and recommendation.
OpenAI API Usage Increased Without Complete Approval Evidence
Condition: OpenAI API usage increased 39% from the prior month, but approval evidence and usage review documentation were only partially available.
Criteria: AI and cloud/API usage should have documented approval, assigned ownership, business purpose, and periodic review when costs or usage materially increase.
Cause: The department expanded API usage before updating governance documentation and review evidence.
Risk/Effect: Increased AI/API usage without complete approval evidence may result in unreviewed costs, unclear accountability, and weak audit evidence over AI tool governance.
Recommendation: Management should document approval evidence, confirm the business purpose, review the usage increase, and assign periodic monitoring responsibility.
Claude API Lacks Assigned Business Owner
Condition: Claude API is active for engineering sandbox and internal testing, but no accountable business owner is documented.
Criteria: AI tools and API services should have an assigned business owner responsible for usage, approval, documentation, and ongoing review.
Cause: The tool appears to have been adopted for testing before ownership responsibilities were formally assigned.
Risk/Effect: Lack of ownership may delay review, approval, cost monitoring, and remediation of AI governance issues.
Recommendation: Management should assign a business owner, document the tool purpose, and confirm approval and monitoring responsibilities.
Midjourney Has No Documented Business Purpose
Condition: Midjourney is listed as active, but the business purpose and approval evidence are not documented.
Criteria: AI tools should have a documented business purpose, approved use case, and evidence supporting authorized use.
Cause: Creative AI tools may have been adopted informally before the inventory and approval process was completed.
Risk/Effect: Tools without documented purpose may create unnecessary cost, duplicate functionality, or unclear policy exceptions.
Recommendation: Management should document the approved use case, confirm ownership, and determine whether the tool should remain active.
Duplicate AI Capability Identified Across Productivity Tools
Condition: Gemini Workspace and Microsoft Copilot appear to provide overlapping AI productivity capabilities for the same department.
Criteria: AI tool usage should be reviewed for duplication, cost efficiency, business need, and alignment with approved enterprise tools.
Cause: Departments may have adopted separate AI tools without a centralized review of overlapping functionality.
Risk/Effect: Duplicate AI tools may increase cost, fragment governance oversight, and reduce consistency in approved AI usage.
Recommendation: Management should compare the tools, evaluate business need, and determine whether consolidation or additional approval is required.
AWS Bedrock Policy Exception Requires Management Review
Condition: AWS Bedrock usage was identified with a policy exception and partial supporting evidence.
Criteria: Policy exceptions should be documented, reviewed, approved, and monitored by the appropriate management owner.
Cause: Model testing activity may have moved forward before the exception process was fully documented.
Risk/Effect: Unreviewed policy exceptions may create inconsistent governance, unclear risk acceptance, and weak evidence for management reporting.
Recommendation: Management should complete the policy exception review, document approval, and define monitoring requirements.
Findings Preparation Notes
2 of 5 steps completed
- Confirm finding language is supported by evidence: Done
- Validate severity ratings: Done
- Confirm management owner for each finding: Pending
- Prepare findings for export report: Pending
- Mark final findings as ready for report: Pending
Sample data only. Built as an independent AI governance workflow and reporting prototype. This demo does not provide legal advice, compliance certification, audit assurance, or regulatory assurance.